Two of the region’s major hospitals dodged a legal bullet last week when the state’s highest court ruled that a 1968 wiretap law didn’t prohibit the hospitals’ use of software that tracked visitors to their websites and shared that information with third parties whose aim is basically to make a buck off that data.
In a 5-1 ruling, the Supreme Judicial Court found in the case brought against Beth Israel Deaconess Medical Center and New England Baptist Hospital that those ubiquitous internet cookies and the hospitals’ sharing of site visitors’ browsing history weren’t the kind of interpersonal “communications” covered by existing state law.
While case law has expanded the parameters of the wiretap statute to other technologies unknown in the ’60s — cellphones, email — the court decided that cookies are so different that they would require new legislation.
“If the Legislature intends for the wiretap act’s criminal and civil penalties to prohibit the tracking of a person’s browsing of, and interaction with, published information on websites, it must say so expressly,” Justice Scott Kafker wrote for the majority.
The hospitals were sued by a Revere woman, Kathleen Vita, who claimed that she used the websites to look up certain doctors and medical information on behalf of her husband and only learned belatedly that the sites made use of AdTech software, allowing the sharing of data with a group that included Meta Pixel and Google Analytics.
There were no allegations that personal information, such as that stored on patient portals, was shared or put at risk.
In its ruling against Vita, the court drew a distinction between the kind of person-to-person communication as addressed in the wiretap act and the website search that became the subject of the lawsuit (one of numerous similar state and federal lawsuits around the country).
“Ultimately, we cannot conclude that the wiretap act unambiguously prohibits and, indeed, criminalizes the interception of web browsing activity, because there appears to be a difference in kind and not degree between interactions on a website available to the public and private conversations in your house or on your telephone,” Kafker wrote. “Browsing and accessing the information published on a website is significantly different from having a conversation or sending a message to another person.”
But Kafker also made clear on behalf of the court that just because it’s not illegal, doesn’t make it right.
“Make no mistake, the hospitals’ alleged conduct here raises serious concerns,” he added. “And we do not in any way minimize the serious threat to privacy presented by the proliferation of third-party tracking of an individual’s website browsing activity for advertising purposes. These concerns, however, should be addressed to the Legislature.”
It was one issue on which the majority and the sole dissenting judge, Justice Dalila Wendlandt, found common ground. While Wendlandt characterized the third-party tracking as “secret surveillance,” she also noted, “Lamentably, the court is right about one thing; the Legislature will need to correct today’s error.”
“That’s why the Legislature needs to go back and reassess any number of laws and determine how technology has affected those statutes already on the books,” said Senator Michael Moore, chair of the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity. “And right now there are no restrictions on the collection of data.”
The Millbury Democrat and House Chair Tricia Farley-Bouvier of Pittsfield announced agreement on a wide-ranging Data Privacy Act in May. It has been held in the House Ways and Means Committee ever since.
“This would protect consumers from the commercialization of their data,” Moore said. “This would cover exactly what the hospitals were doing.”
A spokesperson for Beth Israel Lahey Health, the corporate parent of both hospitals, said following the SJC decision, “We remain committed to appropriately protecting the privacy of all our patients. If the Legislature chooses to provide clearer and consistent rules of the road for all organizations to follow in this area going forward, we would welcome such action.”
Of course, the issue is far broader than hospitals, and even Moore concedes that his still-stalled legislation can’t prevent people from simply clicking that “I accept” button. But it can require “data minimization” standards to restrict data holders to collecting and processing only “reasonably necessary” data, proportional to their purpose. It would also require, Moore said, “clear consent” and that those disclaimers would be displayed “in a clear and conspicuous manner.”
It also would ban the commercial sale of geolocation information and targeted advertising to minors and provide added protections for certain kinds of especially sensitive personal data such as race, immigration status, or the status of a victim of crime.
In short, it does what the court suggested needs to be done, plus quite a bit more. The Legislature shouldn’t need much more prodding than that to get this done — if not this session then surely in the next.
Editorials represent the views of the Boston Globe Editorial Board. Follow us @GlobeOpinion.

